PHP :: Request #72247 :: There is no way to get key length for cipher algorithms

There is no way to get key length for cipher algorithms

Submitted:

2016-05-20 02:46 UTC

Modified:

2019-09-19 01:55 UTC

Votes:	2
Avg. Score:	5.0 ± 0.0
Reproduced:	2 of 2 (100.0%)
Same Version:	1 (50.0%)
Same OS:	1 (50.0%)

From:

S-sword at s-sword dot net

Assigned:

Status:

Analyzed

Package:

OpenSSL related

PHP Version:

master-Git-2016-05-20 (Git)

OS:

Windows10/CentOS7.2

Private report:

CVE-ID:

None

View Add Comment Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	S-sword at s-sword dot net
New email:
PHP Version:		OS:

New/Additional Comment:

[2016-05-20 02:46 UTC] S-sword at s-sword dot net

Description:
------------
Current implementation of OpenSSL functions has openssl_cipher_iv_length, obtaining the initialize vector length for ciphers, but no way to get key length. 
Moreover, in the function openssl_encrypt, the argument $password is used simply as key and cut off if longer than algorithm specified max key length (see below example). 
Then it is insecure to pass the raw password to openssl_enctypt, so we want to apply PBKD; Password Based Key Derivation, in php implemented as Hash functions (hash_pbkdf2), but this algorithm requires the key length.
This is why we cannot migrate from mcrypt to openssl (in mcrypt functions, mcrypt_get_key_size is defined).

To summarize the above, we need the way to get max key length for cipher algorithms, like openssl_cipher_key_length. 

Test script:
---------------
echo(openssl_encrypt('aaa', 'aes-256-cbc', str_pad('', 256, '0')).PHP_EOL);
echo(openssl_encrypt('aaa', 'aes-256-cbc', str_pad('', 300, '0')).PHP_EOL);

// These two code pass different passwords to openssl_encrypt but get same result.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2019-09-19 01:55 UTC] bishop@php.net

-Status: Open +Status: Analyzed

[2019-09-19 01:55 UTC] bishop@php.net

Key length available via either EVP_CIPHER_key_length or EVP_CIPHER_CTX_key_length. Would need to decide if we're going to support variable length ciphers or not. Eg, a signature of:

openssl_get_key_length(string $cipher): int|false

or

openssl_get_key_length(string $cipher, string $encryption_mode): int|false

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2019 The PHP Group All rights reserved.	Last updated: Sat Sep 21 21:01:26 2019 UTC